Adaptive Segmentation, micro-segmentation | September 11, 2020

Balancing Security and User Experience with Illumio and F5

Andrew Kay, Regional Sales Engineer

Today’s Asia Pacific consumers frequently choose frictionless experiences over security. But they still expect the organisations they rely on to provide services that also safeguard their data.

In a recent study by F5, more than 9 in 10 users say they would choose convenience and frictionless application user experiences over security, yet 3 out of 4 assign security responsibilities to either businesses or governments, with only a quarter of respondents believing it is the user’s responsibility to protect their own data.

Although a significant percentage of the consumer respondents were not even aware of breaches to government sites or high-use applications, these findings reveal a delicate balancing act between security and convenience for which businesses and governments are being held responsible, especially considering that trust in an organisation’s ability to protect sensitive customer data is waning.

So, how can businesses and government departments alike leverage their investments in the data centre and cloud to support the responsiveness and availability of their systems for security? For starters, they can look to integrated platforms that help operationalise additional security controls without increasing overhead on their own resources. Illumio’s technology partnership with F5 does just that.

Illumio and F5: Much Needed Balance

F5 has had a successful journey, from load balancing through to an application delivery controller adding security services such as SSL offload, WAF and DDoS mitigation, built on the full-proxy architecture of its traffic management OS. A key element of this was the BIG-IP Local Traffic Manager (LTM) and Advanced Firewall Manager (AFM) modules, where the recipes for load balancing scenarios, as well as network security policy, could be captured in the form of iRules and virtual server policies to protect the data centre and cloud.

Illumio, albeit with a more recent start in life, is the leader in Zero Trust. We help multinationals, government and state departments, top financial services organizations, web scale tech companies, retailers, and more understand and visualize how their applications communicate, easily determine which security policies are required, and ultimately safely deploy east-west traffic controls into the existing stateful firewalls that companies have already invested in (the host-based operating system firewalls within Windows, Linux, AIX and Solaris, as well as F5 security services within BIG-IP) without downtime or risk of outage.

For those looking to gain visibility, simplify security, and confidently deliver agile, scalable, microservices-architected applications with network security policy that is automatically applied to new workloads, adjusted for scale out or in, recalculated during migration, and maximises the utility of existing control planes (LTM/AFM and host-based OS firewalls): Illumio and F5 together provide that much-needed balance.

Why it works

Illumio first provides the all-important understanding of real-time application traffic in visualisations of application dependencies and East-West flows. From this understanding of the communications between the business servers and the infrastructure that runs and makes them highly available (regardless of form factor, cloud or data centre network), Illumio enforces consistent security policy across the data center and cloud from a single policy management plane and policy model. It was our customers who told us that host-based control with granular security policy gets them to Zero Trust; however, their segmentation vision is even more complete with the ability to put granular policy on network switches and application delivery controllers.

But it is challenging to maintain security policy on devices without an understanding of the application environment, and without automation to adapt to changes in the topology, scale, and members of the virtual server pools. As a result, this desirable goal is often either not achieved or achieved only at considerable operational cost.

Thus, Illumio dynamically discovers virtual servers (VIP with port + protocol and SNAT pools) and drives precise control for F5 BIG-IP via API to:

  • F5-LTM – restricting application access through virtual server iRules and datagroup-lists modules. Datagroup-lists are modified on the fly based on topology changes.
  • F5-AFM – stateful application firewalling with non-global section virtual server policies and address-lists. Address-lists are modified on the fly based on topology changes.
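
A sketch of the "modified on the fly" step above, as an added example that is not Illumio's or F5's code: it recomputes an allow list from labelled workloads, diffs it against the current data-group records, and refuses suspicious rewrites. The label names, sample addresses, the `max_churn` guard, and the `{"records": [{"name": ...}]}` body shape are assumptions to check against your BIG-IP version.

```python
import ipaddress

# Constructed sample inventory; label names and values are hypothetical.
WORKLOADS = [
    {"ip": "10.1.0.11", "labels": {"app": "payments", "role": "web"}},
    {"ip": "10.1.0.12", "labels": {"app": "payments", "role": "web"}},
    {"ip": "10.1.0.40", "labels": {"app": "payments", "role": "db"}},
    {"ip": "10.2.0.7", "labels": {"app": "hr", "role": "web"}},
]
# Constructed current contents of the data group, as record objects.
CURRENT_RECORDS = [{"name": "10.1.0.11/32"}, {"name": "10.1.0.99/32"}]


def canon(addr):
    """Normalise '10.1.0.11' and '10.1.0.11/32' to one comparable form."""
    return str(ipaddress.ip_network(addr, strict=False))


def desired_members(workloads, selector):
    """Addresses of workloads whose labels match every selector pair."""
    return {
        canon(w["ip"]) for w in workloads
        if all(w["labels"].get(k) == v for k, v in selector.items())
    }


def plan_update(current_records, desired, max_churn=0.5):
    """Diff current vs desired and build a replacement record list.

    Returns None when nothing changed. Raises if the change would empty the
    allow list or remove more than max_churn of it, so a broken inventory
    feed cannot silently rewrite the enforcement point.
    """
    current = {canon(r["name"]) for r in current_records}
    add, remove = desired - current, current - desired
    if not add and not remove:
        return None
    if not desired:
        raise ValueError("refusing to push an empty allow list")
    if current and len(remove) / len(current) > max_churn:
        raise ValueError("churn above threshold; require manual review")
    return {
        "add": sorted(add),
        "remove": sorted(remove),
        "body": {"records": [{"name": n} for n in sorted(desired)]},
    }
```

Logging the `add` and `remove` sets for every applied plan gives an audit trail of who gained or lost access through the virtual server and when.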

Enterprises in Asia and Australasia can also benefit, as others have, across common use cases that include:

  • Application access (ringfencing): A major global bank has Illumio policy programmed into the F5 that fronts its application workloads. Illumio ensures that security policy automatically adapts as workloads behind the F5 morph.
  • Application load balancing (tiered separation): A high-profile web company deploys F5 between the Presentation and Logic + Persistent tiers of their 3-tiered web application design pattern with Illumio enforcing granular access between the tiers and reporting flows via visualisation.
  • Securing older, purpose-built systems: A large retailer uses F5 as the closest upstream enforcement point for workloads not directly supported by Illumio’s primary OS host-based firewall approach. They use AFM to provide stateful security services between the application servers and the mainframe, and between the mainframe and the databases, with policy that automatically reconfigures based on topology changes.

The control plane is already available in existing technology that these and many other organisations have. Optimizing its usage, by replacing inefficient, human error-prone, and costly change control with automated policy delivered via API, is the step needed to meet consumers’ expectations of responsive, available, and secure applications to interact with.

Curious how effective this approach really is? Check out this F5 alliance summary to learn more or visit the Illumio partner page for more information.
